MyCareer.com.au

Why Windows is a security nightmare

Security in all mainstream operating systems is non-existent; however, things
are especially bad for Windows. Windows happens to be the favourite target of
worm and virus writers. Conventional wisdom suggests that the huge installed
base of Windows helps spread the worms and viruses, and also makes it a highly
attractive target for worm/virus writers. The installed base certainly has an undeniable effect on the prevalence of malware on Windows, but this is not all there is to it.

Worms and viruses are so stunningly effective on Windows only because Windows provides some atrocious functionality which makes it easy for worms to strike. It might seem counterintuitive, but the Windows Registry and a misdesigned Windows Update are the primary culprits that create a hospitable environment for
worms and other malware.

A typical Windows system follows a simple lifecycle: it starts out with a clean
installation, which gradually deteriorates as programs are installed and
uninstalled. Eventually, the registry accumulates so much crud that
the user is forced to do a clean install. When a user does a clean install,
that user's system loses all the previously applied security updates and
becomes a sitting duck for worms and other malware.

Things wouldn't be so bad if the user was able to update the new system
with security patches painlessly, but Windows Update makes it very hard to do so.
My personal experience with the killer duo is an enlightening example of how
all of this works.

I purchased a Thinkpad X21 with Windows 2000 Professional in January 2002, and
since then I have gone through three clean install cycles. After the second
cycle I decided to stick with a deteriorating installation no matter what
happened.

As expected, pretty quickly the registry started accumulating all sorts of
rubbish, and the system started exhibiting strange bugs. First, Mozilla stopped
working; reinstallations, uninstallations and upgrades did not resolve the
problem, so I switched to Opera.

A few months later Windows Explorer started to hang when right-clicking on folders. I
did my best to search for a solution to this problem on the internet, but never
managed to find one. Resigned, I eventually learned to avoid right-clicks
on folders, and became adept at killing and reinvoking the explorer
process after an inadvertent forbidden click.

Then I made the mistake of installing the 30-day demo of VMWare on my system. As soon
as I booted Linux under it as a guest OS, the sound card went bonkers and
started producing high-pitched screeching sounds. I tried reboots which didn't
solve the problem; as a last resort I uninstalled VMWare but that didn't do any good either. This
forced me to lower the volume of the speakers to muffle the screeching, but I
continued using the same set-up.

Finally, I had the bright idea of downloading a registry cleaner to fix things.
The product I downloaded turned out to be some pathetic crippleware, and I
uninstalled it. Well, that was the fatal mistake; the next time I
rebooted, Windows refused to load. Safe mode, last known good configuration,
etc., all failed, and so I was forced to do a clean install.

As expected, the clean install took care of the bugs. However, it also got rid
of all the security updates. I immediately connected to Windows Update to
download the service packs and the critical updates. Rather quickly I was
welcomed by Messenger Service spam. This was only a minor
inconvenience as I knew how to turn it off; however, within a short while I got
a message from Windows saying that svchost.exe had crashed: the Blaster worm
had struck.

The Blaster worm attacks Windows XP and Win2K systems. In order to infect a
system the worm needs to send the correct payload for the respective OS. The
worm is not able to differentiate between XP and Win2K, so it randomly
guesses the OS type; if it guesses wrong, the RPC service crashes, and
Windows reports it as a crash of svchost. The Blaster attack was quite a
surprise, as the major outbreak of the worm occurred back in August 2003, and I
was expecting that the worm would not affect recent versions of Windows.

I was in no position to do anything about the Blaster attack, so I continued
downloading the 35 MB service pack 4 over my dial-up connection. It took me a
couple of hours to download it, but Windows Update refused to install it; Windows
Update probably needed some functionality provided by the crashed svchost.exe.

I rebooted and connected to the internet, which was a mistake as I was
giving the worm a second chance to infect my system. Anyway, I proceeded to Windows
Update, and tried the same download again. Alas, Windows Update had forgotten
all about the 35 MB it had downloaded previously, and started downloading the
same stuff all over again. Worse, the Blaster worm crashed svchost again, and I
had to discontinue the download.

I knew about the existence of a standalone security update to patch the
vulnerability Blaster exploits, so I decided to bypass Windows Update and
download it directly. The download was small, less than 1 MB, but as soon as I
tried running it I learned that it requires at least service pack 2 to install,
which I didn't have.

Microsoft provides a separate download for service packs as well, and
I decided to download the latest service pack, service pack 4. Well, the
standalone service pack 4 distribution turned out to be a mammoth 129 MB
download. This is about the maximum I have ever downloaded over a dial-up
connection; a download of this size can easily take 10 or more hours to
complete.

Downloading a large file over dial-up requires the ability to resume downloads,
which Internet Explorer does not provide, so I downloaded Wget to acquire that
ability. Wget is a command-line tool and is invoked by calling it with the URL.
I tried pasting the URL on the command line, but it turns out that the
cut and paste functionality disappears after a Blaster attack, so I was forced to
manually type the URL.
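As an added example (not part of the original article), here is a POSIX shell script that does what the paragraph above describes with Wget, a resumable download of a standalone update package over an unreliable link, and adds the check a practitioner would want before executing anything fetched while the machine is still unpatched: comparing the file's SHA-256 digest against the value the vendor publishes, so that a truncated or tampered download is never run. The URL, the file name and the digest in the script are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article.  Resumable download of a
# standalone update package with Wget, followed by an integrity check that
# must pass before the package is executed.  The URL, file name and digest
# are placeholders; real values come from the vendor's download page.

PKG_URL="${PKG_URL:-https://example.invalid/path/to/update-package.exe}"  # placeholder
PKG_FILE="${PKG_FILE:-update-package.exe}"                                # placeholder

# Resume a partial download instead of restarting it (-c), keep retrying on a
# flaky dial-up link (--tries=0, pause between retries) and save under a fixed
# name so a later run picks up the same partial file.
fetch_resumable() {
    wget -c --tries=0 --waitretry=10 -O "$2" "$1"
}

# Compute the SHA-256 digest of a file with whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file exists and its digest equals the published one.
# A partial, corrupted or substituted download fails here and must not be run.
verify_package() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# The network part only runs when explicitly requested, so the file can be
# sourced for its functions without touching the network.
# Usage: RUN_DOWNLOAD=1 PKG_URL=... sh fetch-update.sh <expected-sha256>
if [ "${RUN_DOWNLOAD:-0}" = "1" ]; then
    if fetch_resumable "$PKG_URL" "$PKG_FILE" && verify_package "$PKG_FILE" "$1"; then
        echo "package verified, safe to install"
    else
        echo "verification failed, do not install" >&2
        exit 1
    fi
fi
```

Because the download and the check are separate functions, the same script can be re-run after every dropped connection; Wget resumes where it stopped and the digest comparison decides whether the result is complete.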

Normally, typing a URL is not a big deal. Everyone types URLs all the time, and I do
too, but I do mind typing gibberish strings of 95 characters like the following:

To cut a long story short, I managed to download and install the service
pack and the Blaster security update. Finally, Windows Update started
working, and after another 30-40 MB of downloads and three or so reboots, I managed
to install the 18 security updates available there (another five have been added
to that number as of now).

After this experience I cannot help but laugh at the 'usability' problems Windows
users are reporting about GNOME and KDE. It has become pretty clear to me that
Windows users are so accustomed to usability problems that they don't even
recognise them as usability problems. But, as soon as these people
move to a different environment they start complaining simply because the new
environment does not replicate the features and bugs of Windows exactly.

The other big lesson from all this is that most Windows users are incapable of
"securing" their systems. This is precisely why an unprotected system gets
attacked in a matter of seconds, and spammers are still sending out Messenger
service spam. Worse, Microsoft is directly responsible for this state of
affairs. Windows encourages users to reinstall it every once in a while, and
when they do, Windows Update actively prevents users from updating their systems.

The whole idea of Windows Update is a joke. Using an unreliable and insecure
network as the primary means of distributing security updates is simply
idiotic. This is like asking people to walk through a minefield to get to a
shelter. I was able to download security updates off the internet only because
the current generation of worms is not particularly malicious; they are just
minor irritants.

If Microsoft is serious about Windows security it needs to fix Windows Update,
and get rid of the damned registry for good. Unfortunately, Microsoft's
approach is to layer half-baked fixes over utterly broken things to keep them
going for as long as possible. Microsoft knows that there is a problem with the
registry, but the way it is dealing with it is by offering registry rollbacks,
and similar worthless functionality.

I did a search on Google for "System Restore Does Not Work" and as anticipated
there are plenty of complaints about XP's System Restore functionality.
Furthermore, such approaches - even if they somehow became reliable - would still
not work. There is a very simple reason for this - users cannot reliably
associate the problems they are experiencing with changes in the Registry. For
instance, if svchost crashes how is a user to know whether changes in the
Registry caused it or a worm caused it? The extra functionality is likely
to lead to futile rollbacks and additional frustration for the users.

The upcoming SP2 update for Windows XP is another good example of a clueless
fix. According to the reports I have read SP2 will enable the XP firewall by
default, and will also include many nifty features to protect the system. It is
pretty obvious that such updates cannot work in the presence of the Windows
Registry. Windows users who install any kind of software will sooner or later
be forced to downgrade because of Registry problems, and when they do they
will get fried.

I am not saying Microsoft should not do what it is doing, but it should focus on
the more important things first. For the short term the correct approach is to
fix Windows Update so that users aren't forced to connect to a network to get
security updates. Windows Update should encourage users to create a Windows
Update CD that contains all the security updates the user has downloaded so
far. The CD should contain a setup routine that is capable of installing all
the updates in an automated fashion without requiring user intervention.
Inevitably, when the user downgrades he/she can use that CD to update the
system, and then connect to a network to download any further updates. Such a
CD should be shareable amongst users, so that if someone doesn't have an
update CD, he/she can simply get one from a friend or an acquaintance.

Actually, Microsoft does offer a security update CD, and is willing to ship it
to customers free of charge. But, as always, Microsoft
has made a mockery of a decent idea. First of all, 2-4 weeks are needed to
deliver the CD. Then there is the problem of availability; the CD is not
available everywhere (I live in Pakistan, and the CD is not available for
Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is
no fix for this last problem: if Microsoft starts updating the CD every other
week, then people will start asking for a new CD every other week. Obviously,
shipping a CD to every customer every few weeks is quite an expense, and
Microsoft doesn't want that. So, the Microsoft Update CD is there just for
moral support.

Overall, Microsoft is flat-out confused about how to deal with Windows security
problems. The recent decision to disallow pirates access to Windows XP SP2 is
another action reflective of that confusion. I can't understand why
Microsoft is so jittery about supporting pirates. Microsoft's paying customers
are suffering because of insecure Windows systems; therefore, Microsoft's first
priority should be to get the worm-infected systems fixed. If this requires
distributing security updates to pirates, so be it.

Microsoft really needs to look beyond short-term remedies to solve security
problems. The company has to move away from its Windows roots in order to create
a secure operating system environment. Microsoft has a huge research and
development budget, and it just doesn't make sense that it cannot develop
a security-centred OS.

Usman Latif is an IT professional based in Pakistan. This article first appeared on his website and is reproduced with permission. Copyright rests with the author.